155714Skris/* p5_pbev2.c */ 2280297Sjkim/* 3280297Sjkim * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project 4280297Sjkim * 1999-2004. 555714Skris */ 655714Skris/* ==================================================================== 755714Skris * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 855714Skris * 955714Skris * Redistribution and use in source and binary forms, with or without 1055714Skris * modification, are permitted provided that the following conditions 1155714Skris * are met: 1255714Skris * 1355714Skris * 1. Redistributions of source code must retain the above copyright 14280297Sjkim * notice, this list of conditions and the following disclaimer. 1555714Skris * 1655714Skris * 2. Redistributions in binary form must reproduce the above copyright 1755714Skris * notice, this list of conditions and the following disclaimer in 1855714Skris * the documentation and/or other materials provided with the 1955714Skris * distribution. 2055714Skris * 2155714Skris * 3. All advertising materials mentioning features or use of this 2255714Skris * software must display the following acknowledgment: 2355714Skris * "This product includes software developed by the OpenSSL Project 2455714Skris * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 2555714Skris * 2655714Skris * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 2755714Skris * endorse or promote products derived from this software without 2855714Skris * prior written permission. For written permission, please contact 2955714Skris * licensing@OpenSSL.org. 3055714Skris * 3155714Skris * 5. Products derived from this software may not be called "OpenSSL" 3255714Skris * nor may "OpenSSL" appear in their names without prior written 3355714Skris * permission of the OpenSSL Project. 3455714Skris * 3555714Skris * 6. Redistributions of any form whatsoever must retain the following 3655714Skris * acknowledgment: 3755714Skris * "This product includes software developed by the OpenSSL Project 3855714Skris * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 3955714Skris * 4055714Skris * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 4155714Skris * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4255714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 4355714Skris * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 4455714Skris * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 4555714Skris * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 4655714Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 4755714Skris * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 4955714Skris * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 5055714Skris * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 5155714Skris * OF THE POSSIBILITY OF SUCH DAMAGE. 5255714Skris * ==================================================================== 5355714Skris * 5455714Skris * This product includes cryptographic software written by Eric Young 5555714Skris * (eay@cryptsoft.com). This product includes software written by Tim 5655714Skris * Hudson (tjh@cryptsoft.com). 5755714Skris * 5855714Skris */ 5955714Skris 6055714Skris#include <stdio.h> 6155714Skris#include "cryptlib.h" 62109998Smarkm#include <openssl/asn1t.h> 6355714Skris#include <openssl/x509.h> 6455714Skris#include <openssl/rand.h> 6555714Skris 6655714Skris/* PKCS#5 v2.0 password based encryption structures */ 6755714Skris 68109998SmarkmASN1_SEQUENCE(PBE2PARAM) = { 69280297Sjkim ASN1_SIMPLE(PBE2PARAM, keyfunc, X509_ALGOR), 70280297Sjkim ASN1_SIMPLE(PBE2PARAM, encryption, X509_ALGOR) 71109998Smarkm} ASN1_SEQUENCE_END(PBE2PARAM) 7255714Skris 73109998SmarkmIMPLEMENT_ASN1_FUNCTIONS(PBE2PARAM) 7455714Skris 75109998SmarkmASN1_SEQUENCE(PBKDF2PARAM) = { 76280297Sjkim ASN1_SIMPLE(PBKDF2PARAM, salt, ASN1_ANY), 77280297Sjkim ASN1_SIMPLE(PBKDF2PARAM, iter, ASN1_INTEGER), 78280297Sjkim ASN1_OPT(PBKDF2PARAM, keylength, ASN1_INTEGER), 79280297Sjkim ASN1_OPT(PBKDF2PARAM, prf, X509_ALGOR) 80109998Smarkm} ASN1_SEQUENCE_END(PBKDF2PARAM) 8155714Skris 82109998SmarkmIMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM) 8355714Skris 84280297Sjkim/* 85280297Sjkim * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm: yes I know 86280297Sjkim * this is horrible! Extended version to allow application supplied PRF NID 87280297Sjkim * and IV. 8855714Skris */ 8955714Skris 90238405SjkimX509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, 91280297Sjkim unsigned char *salt, int saltlen, 92280297Sjkim unsigned char *aiv, int prf_nid) 9355714Skris{ 94312826Sjkim X509_ALGOR *scheme = NULL, *ret = NULL; 95280297Sjkim int alg_nid, keylen; 96280297Sjkim EVP_CIPHER_CTX ctx; 97280297Sjkim unsigned char iv[EVP_MAX_IV_LENGTH]; 98280297Sjkim PBE2PARAM *pbe2 = NULL; 9955714Skris 100280297Sjkim alg_nid = EVP_CIPHER_type(cipher); 101280297Sjkim if (alg_nid == NID_undef) { 102280297Sjkim ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, 103280297Sjkim ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER); 104280297Sjkim goto err; 105280297Sjkim } 10659191Skris 107280297Sjkim if (!(pbe2 = PBE2PARAM_new())) 108280297Sjkim goto merr; 10955714Skris 110280297Sjkim /* Setup the AlgorithmIdentifier for the encryption scheme */ 111280297Sjkim scheme = pbe2->encryption; 11255714Skris 113312826Sjkim scheme->algorithm = OBJ_nid2obj(alg_nid); 114280297Sjkim if (!(scheme->parameter = ASN1_TYPE_new())) 115280297Sjkim goto merr; 11655714Skris 117280297Sjkim /* Create random IV */ 118280297Sjkim if (EVP_CIPHER_iv_length(cipher)) { 119280297Sjkim if (aiv) 120280297Sjkim memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); 121306195Sjkim else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) 122280297Sjkim goto err; 123280297Sjkim } 12455714Skris 125280297Sjkim EVP_CIPHER_CTX_init(&ctx); 126109998Smarkm 127280297Sjkim /* Dummy cipherinit to just setup the IV, and PRF */ 128280297Sjkim if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0)) 129280297Sjkim goto err; 130280297Sjkim if (EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) { 131280297Sjkim ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ASN1_R_ERROR_SETTING_CIPHER_PARAMS); 132280297Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 133280297Sjkim goto err; 134280297Sjkim } 135280297Sjkim /* 136280297Sjkim * If prf NID unspecified see if cipher has a preference. An error is OK 137280297Sjkim * here: just means use default PRF. 138280297Sjkim */ 139280297Sjkim if ((prf_nid == -1) && 140280297Sjkim EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) { 141280297Sjkim ERR_clear_error(); 142280297Sjkim prf_nid = NID_hmacWithSHA1; 143280297Sjkim } 144280297Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 14555714Skris 146280297Sjkim /* If its RC2 then we'd better setup the key length */ 14755714Skris 148280297Sjkim if (alg_nid == NID_rc2_cbc) 149280297Sjkim keylen = EVP_CIPHER_key_length(cipher); 150280297Sjkim else 151280297Sjkim keylen = -1; 15255714Skris 153280297Sjkim /* Setup keyfunc */ 15455714Skris 155280297Sjkim X509_ALGOR_free(pbe2->keyfunc); 15655714Skris 157280297Sjkim pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen); 15855714Skris 159280297Sjkim if (!pbe2->keyfunc) 160280297Sjkim goto merr; 16155714Skris 162280297Sjkim /* Now set up top level AlgorithmIdentifier */ 16355714Skris 164280297Sjkim if (!(ret = X509_ALGOR_new())) 165280297Sjkim goto merr; 166280297Sjkim if (!(ret->parameter = ASN1_TYPE_new())) 167280297Sjkim goto merr; 16855714Skris 169280297Sjkim ret->algorithm = OBJ_nid2obj(NID_pbes2); 17055714Skris 171280297Sjkim /* Encode PBE2PARAM into parameter */ 17255714Skris 173280297Sjkim if (!ASN1_item_pack(pbe2, ASN1_ITEM_rptr(PBE2PARAM), 174280297Sjkim &ret->parameter->value.sequence)) 175280297Sjkim goto merr; 176280297Sjkim ret->parameter->type = V_ASN1_SEQUENCE; 17755714Skris 178280297Sjkim PBE2PARAM_free(pbe2); 179280297Sjkim pbe2 = NULL; 18055714Skris 181280297Sjkim return ret; 18255714Skris 183280297Sjkim merr: 184280297Sjkim ASN1err(ASN1_F_PKCS5_PBE2_SET_IV, ERR_R_MALLOC_FAILURE); 18555714Skris 186280297Sjkim err: 187280297Sjkim PBE2PARAM_free(pbe2); 188280297Sjkim /* Note 'scheme' is freed as part of pbe2 */ 189280297Sjkim X509_ALGOR_free(ret); 19055714Skris 191280297Sjkim return NULL; 19255714Skris} 193238405Sjkim 194238405SjkimX509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, 195280297Sjkim unsigned char *salt, int saltlen) 196280297Sjkim{ 197280297Sjkim return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1); 198280297Sjkim} 199238405Sjkim 200238405SjkimX509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, 201280297Sjkim int prf_nid, int keylen) 202280297Sjkim{ 203280297Sjkim X509_ALGOR *keyfunc = NULL; 204280297Sjkim PBKDF2PARAM *kdf = NULL; 205280297Sjkim ASN1_OCTET_STRING *osalt = NULL; 206238405Sjkim 207280297Sjkim if (!(kdf = PBKDF2PARAM_new())) 208280297Sjkim goto merr; 209280297Sjkim if (!(osalt = M_ASN1_OCTET_STRING_new())) 210280297Sjkim goto merr; 211238405Sjkim 212280297Sjkim kdf->salt->value.octet_string = osalt; 213280297Sjkim kdf->salt->type = V_ASN1_OCTET_STRING; 214238405Sjkim 215280297Sjkim if (!saltlen) 216280297Sjkim saltlen = PKCS5_SALT_LEN; 217280297Sjkim if (!(osalt->data = OPENSSL_malloc(saltlen))) 218280297Sjkim goto merr; 219238405Sjkim 220280297Sjkim osalt->length = saltlen; 221238405Sjkim 222280297Sjkim if (salt) 223280297Sjkim memcpy(osalt->data, salt, saltlen); 224306195Sjkim else if (RAND_bytes(osalt->data, saltlen) <= 0) 225280297Sjkim goto merr; 226238405Sjkim 227280297Sjkim if (iter <= 0) 228280297Sjkim iter = PKCS5_DEFAULT_ITER; 229238405Sjkim 230280297Sjkim if (!ASN1_INTEGER_set(kdf->iter, iter)) 231280297Sjkim goto merr; 232238405Sjkim 233280297Sjkim /* If have a key len set it up */ 234238405Sjkim 235280297Sjkim if (keylen > 0) { 236280297Sjkim if (!(kdf->keylength = M_ASN1_INTEGER_new())) 237280297Sjkim goto merr; 238280297Sjkim if (!ASN1_INTEGER_set(kdf->keylength, keylen)) 239280297Sjkim goto merr; 240280297Sjkim } 241238405Sjkim 242280297Sjkim /* prf can stay NULL if we are using hmacWithSHA1 */ 243280297Sjkim if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1) { 244280297Sjkim kdf->prf = X509_ALGOR_new(); 245280297Sjkim if (!kdf->prf) 246280297Sjkim goto merr; 247280297Sjkim X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid), V_ASN1_NULL, NULL); 248280297Sjkim } 249238405Sjkim 250280297Sjkim /* Finally setup the keyfunc structure */ 251238405Sjkim 252280297Sjkim keyfunc = X509_ALGOR_new(); 253280297Sjkim if (!keyfunc) 254280297Sjkim goto merr; 255238405Sjkim 256280297Sjkim keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2); 257238405Sjkim 258280297Sjkim /* Encode PBKDF2PARAM into parameter of pbe2 */ 259238405Sjkim 260280297Sjkim if (!(keyfunc->parameter = ASN1_TYPE_new())) 261280297Sjkim goto merr; 262238405Sjkim 263280297Sjkim if (!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM), 264280297Sjkim &keyfunc->parameter->value.sequence)) 265280297Sjkim goto merr; 266280297Sjkim keyfunc->parameter->type = V_ASN1_SEQUENCE; 267238405Sjkim 268280297Sjkim PBKDF2PARAM_free(kdf); 269280297Sjkim return keyfunc; 270238405Sjkim 271280297Sjkim merr: 272280297Sjkim ASN1err(ASN1_F_PKCS5_PBKDF2_SET, ERR_R_MALLOC_FAILURE); 273280297Sjkim PBKDF2PARAM_free(kdf); 274280297Sjkim X509_ALGOR_free(keyfunc); 275280297Sjkim return NULL; 276280297Sjkim} 277